Prev
Next
Forums S3 Systems Administration

LDAP Unable to Bind Sporadically

Sort:
You are not authorized to post a reply.
Author
Messages
Carl.Seay
Veteran Member
Posts: 109
Veteran Member
9/10/2011 2:39 AM
    Hello,

    We are having an issue where our LDAP is unable to authenticate users with AD.  This is causing MSCM print files to go into error status, Process Flows are failing on AGS calls, and all users are having sporadic issues accessing the portal.

    We see an LDAP error in the security_auth.log:
    Wed Sep 07 14:01:31 EDT 2011 - 1178551871: javax.naming.CommunicationException: lrmcad.lrmcnet.com:389 [Root exception is java.net.ConnectException: Connection refused]
    Wed Sep 07 14:01:31 EDT 2011 - 1178551871: Could Not Bind With privilieged identity.

    This is happening in all 3 of our separate environments.  This would point to a change to AD, but our network team has been unable to locate any changes.  If anyone has experienced this issue before, your advice would be greatly appreciated.  Lawson support has been unable to trace the issue.

    Thank You,

    Carl
    John Henley
    Senior Member
    Posts: 3348
    Senior Member
    9/10/2011 2:10 PM
      Try changing ldapbind from port 389 to port 3268. May also want to change from DNS to IP to remove DNS lookup dependency (yes, I know that defeats the purpose but you are trying to troubleshoot). Also make sure the search account used for the bind isn't used for something else (I.e. Don't use "lawson" for the bind!!)=
      Thanks for using the LawsonGuru.com forums!
      John
      Kwane McNeal
      Veteran Member
      Posts: 479
      Veteran Member
      9/10/2011 7:09 PM
        I'll further add a few tips of general troubleshooting:

        First, you don't say how you are bind to your AD Forest (domain name, DNS group, etc), so my advice is general.

        On the surface, it seems that you are binding to a group, and one or more of your members aren't actually DCs.

        the best way to determine this is to do an nslookup on the group, and get the list of members. Then attempt to use simple bind to connect to each server. If any of them fails, and you are binding to the domain name, you will need to setup a DNS group, excluding any controllers that are NOT authenticating DCs.

        Another approach is to bind to a front end LDAP instance that load balances (via proxy) to the correct server. This may be needed if your controllers are of different types (non-AD and AD due to a hetrogenous enterprise identity management environment).

        If you could provide a bit more about your setup, it would help us, to help you:
        1) Is your Lawson instance on UNIX, iSeries, or Windows?
        2) Are you binding to an IP, DomainName, DNS group, or AD DNS metagroup?
        3) Are all of your authentication targets on the same logical/physcial/virtual subnet as your Lawson Server?

        Hopefully this is helpful to you.

        Kwane
        Carl.Seay
        Veteran Member
        Posts: 109
        Veteran Member
        9/12/2011 12:52 PM
          Hi Guys,

          Thank you for your reply. I was able to temporarly resolve the issue by changing our LDAP bind from the main tree (ad.company.com) to a specific domain controller (ad101.ad.company.com). I think this means it's an AD issue and not related to Lawson.

          I'm planing on using your approach of getting the list of all DC's and try binding to each one. Hopefully, we're able to locate a DC that is not functioning properly, or was not intended to be part of the group of DC's.

          Thank you for the advice,

          Carl
          Carl.Seay
          Veteran Member
          Posts: 109
          Veteran Member
          9/12/2011 4:56 PM
            We had a non-DC associated with our DNS.
            You are not authorized to post a reply.